Ashay Chitnis wrote:
> Hi all,
>
> I am having cyrus-imapd and cyrus-sasl running on the Mail Server with
> saslauthd passing the authentication to the ldap server. This is working fine.
>
> I have to integrate it with my AD server. The problem is my ldap
> server uses the uid as "abc@xxxxxxx" to authenticate. But the AD server
> takes the user name as "abc". Is there any way I can use mapping in
> saslauthd so that abc@xxxxxxx is taken by imapd but ONLY for
> authentication abc@xxxxxxx is mapped to abc?
>
> On the net I saw there is a canon_user plugin in cyrus sasl, anyone has an
> idea how to use it to achieve the above objective?

Ashay,

You may be able to accomplish this by specifying a defaultdomain of xyz.com, assuming that you have 'virtdomains: userid' set.

If not, there is an ldapdb canon_user plugin in CVS (sasl). Documentation is included in the doc/options.html file. It requires that your ldap server support authc/authz (proxy) authentication and the 'whoami' extended operation. It works independently of your authentication configuration, so you should not have to use the ldapdb auxprop plugin (but you may want to).

My imapd.conf looks like:

sasl_ldapdb_uri: ldap://ldap.example.net
sasl_ldapdb_mech: GSSAPI
sasl_ldapdb_canon_attr: uid
imap_sasl_canon_user_plugin: ldapdb
pop3_sasl_canon_user_plugin: ldapdb

The ldapdb canon_user plugin works by authenticating as a user with escalated permissions (in my case a GSSAPI user) and using the submitted username 'abc' as the authorization identity. It will search for the attribute you specified in 'ldapdb_canon_attr' within the user's (abc's) entry, and return it as the canonicalized username. imapd will use the canonicalized username (abc@xxxxxxx) when searching for the user's mailbox.

- Dan

----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
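The two routes Dan describes, written out as complete imapd.conf fragments. This is an added example, not configuration from Dan's message or from the Cyrus project; xyz.com, ldap.example.net and the attribute names are placeholders, and the saslauthd fragment at the end is an assumption about the LDAP_SASLAUTHD tokens that should be checked against the document shipped with cyrus-sasl.

```conf
# Added example, not from the thread. Goal: AD authenticates "abc",
# but the mailbox in imapd belongs to "abc@xyz.com".
# xyz.com, ldap.example.net and the attribute names are placeholders.

# --- Option 1: defaultdomain (Dan's first suggestion) --------------------
# imapd.conf. With virtual domains on, a login of plain "abc" is treated as
# a user of the default domain, and "abc@xyz.com" has the default domain
# stripped, so both forms reach the same mailbox with no LDAP lookup at all.
# saslauthd still sees exactly what the client sent, so users must log in
# as "abc" for AD to accept the bind.
virtdomains: userid
defaultdomain: xyz.com
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN LOGIN

# --- Option 2: ldapdb canon_user plugin (Dan's second suggestion) -------
# imapd.conf. The plugin binds as a privileged identity, uses the submitted
# login "abc" as the SASL authorization identity (proxy authz), and returns
# the value of canon_attr from abc's entry as the canonical username.
imap_sasl_canon_user_plugin: ldapdb
pop3_sasl_canon_user_plugin: ldapdb
sasl_ldapdb_uri: ldap://ldap.example.net
# Dan binds with GSSAPI; a simple-bind identity would instead be set with
# the ldapdb_id / ldapdb_pw options described in doc/options.html (assumed
# option names, verify against your cyrus-sasl version).
sasl_ldapdb_mech: GSSAPI
# "uid" as in Dan's setup, because his uid holds the abc@xyz.com form;
# use whatever attribute carries the full address in your directory.
sasl_ldapdb_canon_attr: uid

# --- Assumed alternative: strip the domain inside saslauthd ---------------
# saslauthd.conf (MECH=ldap). ASSUMPTION: LDAP_SASLAUTHD documents %u as
# the full login, %U as the part before "@" and %d as the part after it.
# With this filter, a login of "abc@xyz.com" is looked up in AD as "abc"
# while imapd keeps the full form for the mailbox lookup.
ldap_servers: ldap://ad.example.net
ldap_search_base: dc=example,dc=net
ldap_bind_dn: cn=saslauthd,cn=Users,dc=example,dc=net
ldap_password: changeme
ldap_filter: (sAMAccountName=%U)
```

A caveat worth noting on Option 2: the identity the plugin binds as can assert any user as its authorization identity, which is exactly the "escalated permissions" Dan mentions. Treat its credentials (or keytab) like a service account password, and, where the directory supports it, restrict which identities it may proxy for rather than granting it blanket authz rights. Dan's requirement that the server support proxy authorization and the 'whoami' extended operation also has to be checked for the specific directory in play before this route is chosen.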